You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jan 31, 2020. It is now read-only.
session_start() in SessionManager is causing a warning using an id with invalid characters. This behaviour should be handled to prevent problems like "information disclosures". An attacker can trigger the warning too easy.
There a three possible ways to handle the situation:
Suppress the warning, regenerate a new id, start the session again
if (! @session_start()) {
$this->regenerateId();
session_start();
}
Suppress the warning but also throw an exception that the session is not be started
if (! @session_start()) {
thrownewException\RuntimeException('Failed to start the session');
}
Just ignore the warning and move handling to the validators
@session_start();
I'm personally a fan of the first option because I think that the developer doesn't want to handle errors that occurred during session start. "If the session doesn't start, just ignore the user provided id and create a new/correct one."
Actual results
.../vendor/zendframework/zend-session/src/SessionManager.php:140
session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' [E_WARNING]
Zend\Session\Validator\Id is trying to address the problem, but fails to do so because the validation happens after session_start().
Related Issue
I found #21, but @SvenRtbg's comment is not 100% addressing what I'm concerned about.
My concern is information disclosures when the system is not handling warnings properly (never show any errors to the end user).
I hope the filed issue is clear and has enough details. Let me know if you need more background.
Best regards
The text was updated successfully, but these errors were encountered:
session_start(): error getting session from memcached: (0x7f4238e96300) A BAD KEY WAS PROVIDED/CHARACTERS OUT OF RANGE, Key provided had invalid character. -> libmemcached/key.cc:103
and this is also, because SessionManager validates session_id after session_start()
I checked @sbani code to reproduce this issue, and I can see that even though session_id does not validate, the session was created on the memcache side
Hi,
session_start()
inSessionManager
is causing a warning using an id with invalid characters. This behaviour should be handled to prevent problems like "information disclosures". An attacker can trigger the warning too easy.Code to reproduce the issue
Reproduce The Issue
Expected results
There a three possible ways to handle the situation:
@session_start();
I'm personally a fan of the first option because I think that the developer doesn't want to handle errors that occurred during session start.
"If the session doesn't start, just ignore the user provided id and create a new/correct one."
Actual results
Zend\Session\Validator\Id
is trying to address the problem, but fails to do so because the validation happens aftersession_start()
.Related Issue
I found #21, but @SvenRtbg's comment is not 100% addressing what I'm concerned about.
My concern is information disclosures when the system is not handling warnings properly (never show any errors to the end user).
I hope the filed issue is clear and has enough details. Let me know if you need more background.
Best regards
The text was updated successfully, but these errors were encountered: